U.S. Department of Agriculture
Office of Inspector General
Financial & IT Operations

Audit Report

National Information Technology Center
General Controls Review – Fiscal Year 2004

Report No. 88501-1-FM
September 2004


Executive Summary
National Information Technology Center General Controls Review - Fiscal Year 2004

Results in Brief

This report presents the results of our audit of the Office of the Chief Information Officer/National Information Technology Center's (OCIO/NITC) internal control structure as of August 31, 2004. Our review was conducted in accordance with "Government Auditing Standards" issued by the Comptroller General of the United States, including American Institute of Certified Public Accountants Professional Standards AU Sections 316, 319, and 324 as amended by applicable statements on auditing standards. While the center has taken significant actions to mitigate the weaknesses we identified, the report contains a qualified opinion on the internal control structure because certain control policies and procedures were not suitably designed or had not yet been placed in operation at the time of our review.

Our objectives were to perform testing necessary to express an opinion about (1) whether the control objectives and techniques in exhibit A for the U.S. Department of Agriculture's OCIO/NITC present fairly, in all material respects, the aspects of the OCIO/NITC's policies and procedures in place and operating effectiveness during the period October 1, 2003 through August 31, 2004, (2) whether this control structure of policies and procedures was suitably designed to provide reasonable assurance that the specified control objectives were complied with satisfactorily, and (3) the operating effectiveness of the specified control structure policies and procedures in achieving specified control objectives. In 2004, the U.S. Government Accountability Office (GAO) issued its report on internal controls testing within the Department.[1] We conducted limited testing to determine the status of corrective action on issues identified in that report.

Our audit disclosed that, except for the matters referred to below, the control objectives and techniques identified in exhibit A present fairly, in all material respects, the relevant aspects of OCIO/NITC. Also, in our opinion, except for the deficiencies described below, the policies and procedures, as described, are suitably designed to provide reasonable assurance that the remaining control objectives would be achieved if the described policies and procedures were complied with satisfactorily.

While significant improvements have been made, OCIO/NITC was still not compliant with the requirements of Office of Management and Budget (OMB) Circular A-130 and other Federal security guidance. Specifically, OCIO/NITC had not (1) finalized contingency planning, (2) conducted risk assessments consistent with Federal requirements, (3) prepared security plans for each of its general support systems, (4) completed system certifications and accreditations for each of its general support systems, and (5) maintained a complete inventory of systems in its midrange environment. OCIO/NITC plans to have many of these areas corrected by fiscal year end as part of its certification and accreditation process, while others have been identified in its Plans of Action and Milestones. OCIO/NITC officials informed us that meeting the requirements of OMB Circular A-130 and National Institute of Standards and Technology (NIST) security guidelines involves major effort and requires time and resources to comply thoroughly. However, until these controls and documents are in place, OCIO/NITC cannot be assured of the confidentiality, integrity, and availability of its computer resources.

[1] GAO-04-154, "Further Efforts Needed to Address Serious Weaknesses at USDA," dated January 2004.

USDA/OIG-A/88501-1-FM

OCIO/NITC had not ensured that all midrange server security settings were configured in accordance with departmental and NIST guidelines. Further, OCIO/NITC needed to improve management over the routers and firewalls in its general support system. This occurred because OCIO/NITC had not established a policy or implemented controls to require midrange systems and general support systems to follow OCIO or NIST configuration guidance, and OCIO/NITC security staff had not played a significant role in establishing or monitoring security over midrange and general support systems. As a result, data residing on these servers in the midrange environment could be compromised.

OCIO/NITC has made significant improvements over logical access controls. However, further actions are needed to ensure the confidentiality and integrity of its Information Technology (IT) resources. Specifically, OCIO/NITC had not completed implementation of procedures to ensure that (1) waivers were obtained for user accounts with non-expiring passwords, (2) policies and procedures outlining monitoring of security logs were implemented, (3) global system settings were fully documented, and (4) controls over access from the internet were properly secured. While OCIO/NITC has made significant progress to address these issues, not all of the necessary controls were in place throughout the year to ensure the confidentiality and integrity of its IT resources. Until stronger controls over access are in place, OCIO/NITC resources are vulnerable to potential fraud and misuse, inappropriate disclosure, and potential disruption.

OCIO/NITC has improved its system change management process. However, we continued to find that approval, testing, and implementation documentation was not always maintained. While this condition was more prevalent in OCIO/NITC's midrange system environment, improvements over changes to its mainframe environment are still needed. Despite its own policies to document approval, testing, and implementation, OCIO/NITC had not established controls to ensure that the procedures were being properly carried out. Without proper change management controls, OCIO/NITC's systems are at risk of processing irregularities, and security features could be inadvertently or deliberately omitted or rendered inoperable.

We believe that the findings in this report, taken as a whole, constitute a material weakness in the general control structure and should be reported in OCIO/NITC's Federal Managers' Financial Integrity Act report.

Recommendation In Brief

OCIO/NITC is in the process of implementing significant actions to correct the weaknesses we identify in this report, based on prior Office of Inspector General (OIG) recommendations. Therefore, we make no additional recommendations on outstanding issues. However, we have made recommendations for OCIO/NITC to:

•  establish a plan of action with specific milestone dates toward updating its contingency plans to meet OMB requirements, and completing business resumption plans and business impact analyses for all components of OCIO/NITC's network and midrange environments;

•  develop a strategic plan with specific milestone dates for establishing policies and procedures to address the midrange security weaknesses we identified, and for increased security involvement in the midrange environment;

•  develop a control to ensure that router and firewall configurations are properly maintained and documented, and that backup configurations are stored off-site;

•  establish a plan with milestone dates for finalizing its documentation of global system settings and recording those settings in its security plan; and

•  establish controls to ensure that its change management process includes adequate documentation of approval, testing, and implementation.

Agency Response

OCIO generally agreed with the findings and recommendations in this report and is in the process of developing corrective action plans and/or finalizing corrective actions.


Abbreviations Used in This Report

BCP     Business Continuity Plan
BIA     Business Impact Analysis
BR      Business Resumption
COOP    Continuity of Operations Plan
CS      Cyber Security (a division of the OCIO)
DM      Departmental Manual
DRP     Disaster Recovery Plan
FIPS    Federal Information Processing Standards
GAO     Government Accountability Office
GSS     General Support System
ICS     Incident Command Structure
ID      Identification (i.e., user accounts or user identification)
ISS     Infrastructure Support Services
IT      Information Technology
MOU     Memorandum of Understanding
NIST    National Institute of Standards and Technology
NITC    National Information Technology Center
OCIO    Office of the Chief Information Officer
OIG     Office of Inspector General
OMB     Office of Management and Budget
SP      Special Publication
USDA    U.S. Department of Agriculture


Table of Contents

Executive Summary
Abbreviations Used in This Report
Report of the Office of Inspector General
Findings and Recommendations
    Section 1. Security Program Management and Compliance
        Finding 1  Further Actions are Needed toward Achieving Compliance with Federal Regulations
            Recommendation No. 1
            Recommendation No. 2
        Finding 2  Stronger Controls Over Management and Configuration of Midrange and General Support Systems are Needed
            Recommendation No. 3
            Recommendation No. 4
            Recommendation No. 5
            Recommendation No. 6
    Section 2. Mainframe Access Controls
        Finding 3  Mainframe Access Controls Have Significantly Improved but Additional Actions are Needed
            Recommendation No. 7
            Recommendation No. 8
    Section 3. System Change Controls
        Finding 4  Change Control Improvements Need to be Finalized and Implemented
            Recommendation No. 9
Exhibit A – Office of Inspector General, Review of Selected Controls


UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

Report of the Office of Inspector General

To:  Scott Charbo
     Chief Information Officer
     Office of the Chief Information Officer

We have examined the control objectives and techniques identified in exhibit A for the U.S. Department of Agriculture's (USDA) Office of the Chief Information Officer/National Information Technology Center (OCIO/NITC).
Our examination included procedures to obtain reasonable assurance about (1) whether the control objectives and techniques of the USDA's OCIO/NITC present fairly, in all material respects, the aspects of the OCIO/NITC's policies and procedures in place and operating effectiveness during the period October 1, 2003 through August 31, 2004, (2) whether the control structure of policies and procedures was suitably designed to provide reasonable assurance that the specified control objectives were complied with satisfactorily, and (3) the operating effectiveness of the specified control structure policies and procedures in achieving specified control objectives. The control objectives were specified by OCIO/NITC.

Our audit was conducted in accordance with "Government Auditing Standards" issued by the Comptroller General of the United States and the standards issued by the American Institute of Certified Public Accountants, and included those procedures necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

Our review disclosed material internal control weaknesses. We found that the OCIO/NITC needs to strengthen its logical access controls; establish controls to ensure system software changes are approved, documented, and tested; ensure adequate security controls are in place over its midrange environment; and ensure that it is in compliance with existing Federal security guidelines.

In our opinion, except for the matters referred to in the previous paragraph, the control objectives and techniques identified in exhibit A of this report present fairly, in all material respects, the relevant aspects of OCIO/NITC. Also, in our opinion, except for the deficiencies referred to in the previous paragraph, the policies and procedures, as described, are suitably designed to provide reasonable assurance that the remaining control objectives would be achieved if the described policies and procedures were complied with satisfactorily.

Also, in our opinion, except for the matters discussed above, the policies and procedures that were tested, as described in the exhibit, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified were achieved during the period from October 1, 2003 through August 31, 2004. The scope of our engagement did not include tests to determine whether control objectives not listed in the exhibit were achieved; accordingly, we express no opinion on achievement of control objectives not included in the exhibit.


Findings and Recommendations

Section 1. Security Program Management and Compliance

An entity-wide program for security planning is the foundation of a security control structure and a reflection of senior management's commitment to addressing security risks. The program should establish a framework and continuing cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures.
Without a well-designed program, security controls may be inadequate; responsibilities may be unclear, misunderstood, and improperly implemented; and controls may be inconsistently applied.


Finding 1    Further Actions are Needed toward Achieving Compliance with Federal Regulations

While significant improvements have been made, OCIO/NITC was still not compliant with the requirements of Office of Management and Budget (OMB) Circular A-130 and other Federal security guidance. Specifically, OCIO/NITC had not (1) finalized contingency planning, (2) conducted risk assessments consistent with Federal requirements, (3) prepared security plans for each of its general support systems, (4) completed system certifications and accreditations for each of its general support systems, and (5) maintained a complete inventory of systems in its midrange environment. OCIO/NITC plans to have many of these areas corrected by fiscal year end as part of its certification and accreditation process, while others have been identified in its Plans of Action and Milestones. OCIO/NITC officials informed us that meeting the requirements of OMB Circular A-130 and National Institute of Standards and Technology (NIST) security guidelines involves major effort and requires time and resources to comply thoroughly. However, until these controls and documents are in place, OCIO/NITC cannot be assured of the confidentiality, integrity, and availability of its computer resources.

OMB Circular A-130 established a minimum set of controls for agencies' automated information security programs, including preparing security plans for major applications and general support systems, certifying the security of any systems that maintain sensitive data, and establishing contingency plans and recovery procedures in the event of a disaster. OMB also requires agencies to maintain an inventory of the agency's major information systems.

Contingency/Disaster Recovery Plans (DRP)

Based in part on the OIG's prior recommendations, OCIO/NITC completed disaster recovery plans for its general support systems. Our review of those plans disclosed that additional documentation is needed to meet Federal and departmental guidelines.

OMB Circular A-130, Appendix III, requires the development and maintenance of two types of contingency plans: (1) a continuity of support or contingency plan that addresses the recovery of major applications and support systems in the event of a minor disruption, and (2) a disaster recovery plan (DRP), which, as its name implies, applies to major, usually catastrophic, events that deny access to the normal facility for an extended period. Further, NIST[2] emphasizes the Business Impact Analysis (BIA) as a key step in the contingency planning process. The BIA enables the organization to fully characterize the system requirements, processes, and interdependencies and to use this information to determine contingency requirements and priorities for both short-term and long-term contingencies. Results from the BIA should be appropriately incorporated into the analysis and strategy development efforts for the organization's Continuity of Operations Plan (COOP), Business Continuity Plan, and Business Resumption Plan.

OCIO/NITC has a COOP in place to address business continuity at the highest level of the organization in a widespread emergency affecting the metropolitan area. OCIO/NITC does not have continuity of support plans in place to (1) address short-term versus long-term contingencies of a localized nature and (2) address all of the various components of OCIO/NITC's operations and how those components will be recovered in the event of a limited contingency, such as a service interruption, as required by OMB Circular A-130. Further, we found that OCIO/NITC had not performed a BIA before preparing its disaster recovery plan for its general support system. Finally, our review disclosed that the DRPs for the Infrastructure Support Services (ISS), Sun General Support System (GSS), and Windows GSS did not outline procedures for restoring operability of the target systems at an alternate site after an emergency. Instead, the plans focus on reloading the operating system in the event of system failure. Those plans do not address the steps to take if the OCIO/NITC facility is no longer accessible because of an emergency.

Without effective, operable plans for those systems, OCIO/NITC cannot be assured that it will be able to provide efficient automated processing services to support its customers.

[2] NIST SP 800-34, "Contingency Planning Guide for IT Systems," dated June 2002.

Risk Assessments

As part of the certification and accreditation efforts of OCIO/NITC, a contractor was hired to perform risk assessments of OCIO/NITC's GSS and major applications. Risk assessments had been performed on four midrange servers, the telecom components, the mainframe, and the ISS. Despite these efforts, we found that risk assessments were performed without a BIA being performed first. According to CS-031, Risk Assessment Methodology, the first step in characterizing an IT system is to define the business case for the system. The business case defines the system's function and importance to the program and to USDA's overall mission. CS-031 also states that NIST SP 800-34 requires a BIA, which is roughly equivalent to a business case. The BIA also aids in identifying the system's data needed for the next step of the process. According to NIST SP 800-34, the BIA helps to identify and prioritize critical IT systems and components. The NIST guidance states that the BIA's purpose is to correlate specific system components with the critical services that they provide and, based on that information, to characterize the consequences of a disruption to the system components. Without the BIA being performed first, NITC cannot be assured that all system components and the critical services they provide were adequately identified, prioritized, and included in the risk assessment.

Security Plans

During our prior audit,[3] we reported that OCIO/NITC had not completed security plans for its GSS, but had plans to complete them by September 30, 2003. Progress had been made during the year to finalize many of its security plans; however, we found that security plans for its telecommunications network, including routers, firewalls, intrusion detection system, and mainframe access software, had not been completed. Until a security plan is completed for this GSS, OCIO/NITC cannot be assured that it has adequately addressed its security needs and that its security policies and practices have become an integral part of its operations. OCIO/NITC officials informed us that security plans have been prepared as part of its certification and accreditation process, which will be completed by September 30, 2004. Because OCIO/NITC has a corrective action plan in place to complete security plans, we will make no recommendation concerning this issue.

[3] Audit Report No. 88099-05-FM, "National Information Technology Center General Controls Review - Fiscal Year 2003," dated October 2003.

System Certification and Accreditation

OCIO/NITC has not completed system certifications and accreditations for its GSS. During fieldwork OCIO/NITC was in the process of completing these certifications in accordance with the Department's directives. NITC officials informed us that they intend to have their GSS certified and accredited by September 2004; therefore, we will make no recommendation concerning this issue.

Inventory

Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection, dated December 17, 2003, requires all Federal departments and agencies to identify, prioritize, and protect their internal critical infrastructure and key resources. Consistent with the Federal Information Security Management Act of 2002, agencies are to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.

During our review, we found that OCIO/NITC did not have an accurate inventory of its midrange environment that included such vital information as system name, owner/manager of the system, operating platform, and IP address.

According to NIST,[4] when assessing risks for an IT system, the first step is to define the scope of the effort. In this step, the boundaries of the IT system are identified, along with the resources and the information that constitute the system. Characterizing an IT system establishes the scope of the risk assessment effort, delineates the operational authorization boundaries, and provides information such as hardware, software, system connectivity, and responsible division or support personnel that is essential to defining the risk.

Without an accurate inventory, OCIO/NITC cannot be assured that all systems have been identified, that risks on those systems have been assessed, and that security controls have been established over those systems.

[4] NIST SP 800-30, "Risk Management Guide for Information Technology Systems."

Recommendation No. 1

OCIO/NITC should establish a plan of action with specific milestone dates toward updating its contingency plans to meet OMB requirements, and completing business resumption plans and business impact analyses for all components of OCIO/NITC's network and midrange environments.

Recommendation No. 2

OCIO/NITC should implement controls to ensure that an inventory of OCIO/NITC's midrange environment is maintained, including essential information such as system name, owner/manager of the system, operating platform, and IP address.


Finding 2    Stronger Controls Over Management and Configuration of Midrange and General Support Systems are Needed

OCIO/NITC had not ensured that all midrange server security settings were configured in accordance with departmental and NIST guidelines. Further, OCIO/NITC needed to improve management over the routers and firewalls in its GSS. This occurred because OCIO/NITC had not (1) established a policy or implemented controls to require midrange systems and GSS to follow OCIO or NIST configuration guidance, (2) finalized policies or standard operating procedures for the midrange environment, and (3) ensured that security staff played a significant role in establishing or monitoring security over midrange systems and GSS. Further, OCIO/NITC assigned control over both administration and security to the systems administrators of the midrange environment. As a result, data residing on these servers, as well as on other servers in the midrange environment, were at risk of compromise.

Configuration management is essential in ensuring that system settings are documented and configured in the best interest of performance and security, while ensuring that changes to systems are approved and do not inadvertently affect system security. Departmental[5] and NIST[6] guidance require that agencies have formal configuration management processes in place. Further, the Department and NIST have issued configuration checklists that should be used by agencies to ensure proper security configurations are used.
Finally,\n                                  OCIO/NITC has issued its own policies7 for identifying unused user accounts\n                                  on all its systems, and for limiting access to only those systems and data\n                                  necessary to perform their job duties.\n\n                                  Midrange Configuration Management\n\n                                  Our evaluation of OCIO/NITC\xe2\x80\x99s midrange8 environment included detailed\n                                  security reviews of 2 servers owned and managed by OCIO/NITC. Our\n                                  review disclosed that system administrators had not configured midrange\n                                  server security in accordance with departmental and NIST guidance.\n                                  Specifically, we found:\n\n\n5\n  Cyber Security guidance CS-009, \xe2\x80\x9cInterim Guidance on USDA Configuration Management,\xe2\x80\x9d dated October 15, 2001.\n6\n  NIST SP 800-12, \xe2\x80\x9cAn Introduction to Computer Security,\xe2\x80\x9d dated October 1995; and SP 800-43, \xe2\x80\x9cGuidance for Security Windows 2000,\xe2\x80\x9d\ndated November 2002.\n7\n  OCIO/NITC Security Directive SD 1-5, \xe2\x80\x9cLeast Privilege Policy,\xe2\x80\x9d dated March 26, 2003; Security Directive SD 5-1, \xe2\x80\x9cInactive Accounts,\xe2\x80\x9d dated\nMarch 12, 2003.\n8\n  Midrange is defined as a server system running a multi-user operating system with less computing power than a mainframe system, but\nmore computing power than an end-user system. 
Typically, these include Windows server-class operating systems, Unix servers from\nvarious vendors, and IBM AS400 servers.\nUSDA/OIG-A/88501-1-FM                                                                                                             Page 7\n\x0c                        \xe2\x80\xa2   Password security settings, such as password expiration and length,\n                            and access permissions did not always meet departmental and NIST\n                            guidelines;\n                        \xe2\x80\xa2   system users included generic accounts, guest accounts, and other\n                            accounts unidentifiable to employee lists;\n                        \xe2\x80\xa2   administrator and user rights did not always meet departmental and\n                            NIST guidelines;\n                        \xe2\x80\xa2   access Authorization did not exist for OCIO/NITC staff on midrange\n                            systems, and no periodic reconciliation was performed of user IDs on\n                            the midrange systems;\n                        \xe2\x80\xa2   excessive access rights were granted to directories and files;\n                        \xe2\x80\xa2   windows registry keys were not always configured in accordance to\n                            departmental and NIST guidelines;\n                        \xe2\x80\xa2   network services running were not configured to departmental and\n                            NIST guidelines; and\n                        \xe2\x80\xa2   current vendor-supplied patches had not been installed on the\n                            systems.\n\n                   OCIO/NITC officials acknowledged the weaknesses on its servers under their\n                   management control and began implementing corrective actions.\n\n                   Since security vulnerabilities on one midrange server have the potential to\n                   affect other midrange servers in its 
environment, we selected four additional\n                   servers to review. Our review included 2 servers owned by agencies, but\n                   partially managed by OCIO/NITC, and 2 servers owned and managed by the\n                   agencies. We found similar issues on these 4 servers and communicated\n                   those weaknesses to the appropriate agency managers, who began to take\n                   corrective actions.\n\n                   OIG recognizes that OCIO/NITC exercises different levels of management\n                   responsibility over its midrange environment.             For some systems,\n                   OCIO/NITC simply maintains physical security at its facilities, while others\n                   are managed entirely by OCIO/NITC staff. OIG also recognizes that it is\n                   ultimately the responsibility of the owner agency to ensure its systems are\n                   properly secure and in compliance with departmental and Federal security\n                   guidelines. However, OCIO/NITC needs to work with its customer agencies\n                   to ensure a balance between its role as a service provider and its\n                   responsibility to all of its customers to provide a secure operating\n                   environment and network. OCIO/NITC had issued security directive SD 1-3,\n                   \xe2\x80\x9cRequirements for Approval of System Operation,\xe2\x80\x9d dated March 2003, which\n                   requires the owner agencies to provide written approval to operate (also\n                   called accreditation), for every system in OCIO/NITC\xe2\x80\x99s environment. 
The\n                   Department initiated its certification and accreditation effort during this fiscal\n                   year to address a long-standing material weakness in that the Department and\n                   its agencies had not been accrediting its systems in accordance with OMB\n\nUSDA/OIG-A/88501-1-FM                                                                        Page 8\n\x0c                                Circular A-130. Most agencies will not have authorizations to operate until\n                                the end of the fiscal year; therefore, OCIO/NITC has been unable to enforce\n                                its policy. OCIO/NITC needs to ensure that it obtains these authorizations to\n                                operate as they become available for current systems, and that these\n                                authorizations are obtained for future systems that enter its environment.\n\n                                General Support System Configuration\n\n                                Routers and firewalls are significant components of OCIO/NITC\xe2\x80\x99s GSS.\n                                These components ensure that only authorized access is obtained from the\n                                departmental intranet and global Internet. OCIO/NITC has maintained its\n                                routers and firewalls adequately; however, improvements could be made to\n                                strengthen the configuration of these devices. Specifically, we found that:\n\n                                     \xe2\x80\xa2   Changes to routers did not follow OCIO/NITC\xe2\x80\x99s change control\n                                         process (see Finding No. 
4);\n                                     \xe2\x80\xa2   routers were not configured to completely log all successful and\n                                         unsuccessful access attempts;\n                                     \xe2\x80\xa2   one router had an excessive number of virtual terminals configured;\n                                     \xe2\x80\xa2   firewall rules implemented before OCIO/NITC established its\n                                         configuration management policy were not thoroughly documented;\n                                     \xe2\x80\xa2   access authorization to firewalls was not documented;\n                                     \xe2\x80\xa2   OCIO/NITC had not obtained waivers, in accordance with\n                                         Department policy,9 for the use of certain non-secure protocols\n                                         though its firewalls; and\n                                     \xe2\x80\xa2   backup of firewall configurations were not being maintained off-site.\n\n                                OCIO/NITC personnel responsible for configuration of the routers and\n                                firewalls concurred with our observations and have begun to take corrective\n                                actions.\n\n\n                                Midrange Monitoring and Security Oversight\n\n                                OCIO/NITC does not have policies and procedures in place to ensure that the\n                                security staff monitors midrange systems. As noted above, we observed\n                                midrange systems that had not been configured to log security events. In\n                                cases where logging was activated, system administrators, not security staff,\n                                monitored the logs. 
For proper segregation of duties and effective security\n                                management, OCIO/NITC needs to establish policies and controls to ensure\n                                that midrange security logging is enabled and that security staff monitor those\n                                logs.\n\n\n9\n OCIO Cyber Security CS-012, \xe2\x80\x9cCyber Security Guidance Regarding Gateway and Firewall Technical Security Standards,\xe2\x80\x9d dated\nJanuary 22, 2002.\nUSDA/OIG-A/88501-1-FM                                                                                                       Page 9\n\x0c                                   Vulnerability Scanning\n\n                                   OCIO/NITC had not been conducting thorough vulnerability scanning on all\n                                   its routers. Further, while OCIO/NITC had conducted vulnerability scans on\n                                   its midrange system networks, OCIO/NITC officials only recently\n                                   implemented a control to notify agency Chief Information Officers when\n                                   vulnerabilities were not timely corrected. In fiscal year 2001, the Department\n                                   purchased a license to a commercial off-the-shelf software package that\n                                   identified vulnerabilities in operating systems that use Transmission Control\n                                   Protocol/Internet Protocol (TCP/IP). The Department implemented a policy\n                                   that required the use of this software to scan all systems at least monthly.10\n                                   This policy also requires all agencies to maintain a complete inventory of all\n                                   its networks and systems. 
Based in part on our audits, OCIO/NITC began\n                                   scanning all midrange systems for its customers; however our current review\n                                   disclosed that OCIO/NITC had not been scanning its routers, which can also\n                                   be subject to TCP/IP vulnerabilities.\n\nRecommendation No. 3\n\n                                   OCIO/NITC should develop a strategic plan with specific milestone dates for\n                                   establishing policies and procedures to address the midrange security\n                                   weaknesses we identified, and increased security involvement in the\n                                   midrange environment.\n\nRecommendation No. 4\n\n                                   OCIO/NITC should develop a control to ensure that it obtains authorization\n                                   to operate from system owner agencies for all systems in its operating\n                                   environment.\n\nRecommendation No. 5\n\n                                   OCIO/NITC should develop a control to ensure that router and firewall\n                                   configurations are properly maintained, documented, and that backup\n                                   configurations are stored off-site.\n\nRecommendation No. 6\n\n                                   OCIO/NITC should develop a control to ensure it conducts thorough\n                                   vulnerability scanning of its routers.\n\n\n\n\n10\n     OCIO Cyber Security, CS-007, \xe2\x80\x9cSecurity Vulnerability Scan Procedures,\xe2\x80\x9d issued September 2001.\nUSDA/OIG-A/88501-1-FM                                                                                   Page 10\n\x0cSection 2. 
Mainframe Access Controls\n\n\n\n\nFinding 3                       Mainframe Access Controls Have Significantly Improved but\n                                Additional Actions are Needed\n\n                                OCIO/NITC has made significant improvements over logical access controls\n                                in its mainframe environment; however, further actions are needed to ensure\n                                the confidentiality and integrity of its IT resources.             Specifically,\n                                OCIO/NITC had not completed implementation of procedures to ensure (1)\n                                waivers were obtained for user accounts with non-expiring passwords, (2)\n                                policies and procedures outlining monitoring of security logs were\n                                implemented, (3) global system settings were fully documented, and (4)\n                                access from the Internet were properly secured. While OCIO/NITC has\n                                made significant progress to address these issues as discussed below, not all\n                                of the necessary controls were in place throughout the year to ensure the\n                                confidentiality and integrity of its IT resources. Until stronger controls over\n                                access are in place, OCIO/NITC resources are vulnerable to potential fraud\n                                and misuse, inappropriate disclosure, and potential disruption.\n\n                                OMB11 stresses the need for management controls affecting users of IT to\n                                protect the integrity, availability, and confidentiality of information by\n                                restricting access to only authorized users. 
OMB also stresses that individual\n                                accountability is normally accomplished by identifying and authenticating\n                                users of the system and subsequently tracing actions on the system to the user\n                                who initiated them. Both OMB and NIST12 stress the need for agencies to\n                                implement the \xe2\x80\x9cleast privilege\xe2\x80\x9d concept, granting users only those accesses\n                                required to perform their duties. Departmental Manual (DM)13 requires\n                                security staff to remove employee user identifications (ID) and passwords\n                                when the employee is no longer with the agency.\n\n                                User Accounts\n\n                                We continue to find an excessive number of user IDs that have non-expiring\n                                passwords. As reported last year, one agency is responsible for a majority of\n                                these user IDs. As of the end of our fieldwork, OCIO/NITC had not obtained\n                                the waiver from agency management documenting why these IDs needed\n                                passwords that did not expire. 
OCIO/NITC has begun to obtain waivers for\n                                newly created IDs with non-expiring passwords; however our test sample of\n                                14 newly created IDs found that OCIO/NITC did not have waivers for 3 of\n\n11\n   OMB Circular A-130, Appendix III, Section A, November 30, 2000.\n12\n   NIST Special Publication 800-18, \xe2\x80\x9cGuide for Developing Security Plans for Information Technology Systems,\xe2\x80\x9d dated December 1998.\n13\n   DM 3140-1.6, part 6 of 8, Section 6c, \xe2\x80\x9cManagement ADP Security Manual,\xe2\x80\x9d July 19, 1984.\nUSDA/OIG-A/88501-1-FM                                                                                                   Page 11\n\x0c                                  them. OCIO/NITC needs to implement an effective process for obtaining\n                                  and maintaining these waivers.\n\n                                  Security Software Global System Settings\n\n                                  Based on our prior audit recommendations, OCIO/NITC has begun, but has\n                                  not completed, its review and documentation of its security software\xe2\x80\x99s global\n                                  system settings. Global system settings define how the network-wide\n                                  security software operates within the mainframe environment, such as\n                                  resource access control settings, user activity logs for IDs with special\n                                  privileges, and logs of profile changes. While there are no \xe2\x80\x98required\xe2\x80\x99 global\n                                  system settings, manufacturer and industry standard settings should be used\n                                  to facilitate the most effective and secure computing environment. 
At a\n                                  minimum, OCIO/NITC should document its global system settings and\n                                  justify those settings when they do not conform to manufacturer or industry\n                                  standard suggestions. Deviation from these standards may be appropriate\n                                  since each operating environment is unique; however, without adequate\n                                  documentation it is impossible to validate whether global system parameters\n                                  are adequately configured and tested to maintain the integrity of the security\n                                  software.\n\n                                  Monitoring Access\n\n                                  OCIO/NITC is still in the process of establishing written policies and\n                                  procedures outlining what (1) logs/reports will be reviewed, (2) actions will\n                                  be taken for different security violations, (3) security violations will be\n                                  investigated, or (4) supporting documentation will be created and maintained\n                                  supporting any investigations. In part due to a recommendation made in last\n                                  year\xe2\x80\x99s report, OCIO/NITC is in the process of developing system security log\n                                  review standards.       Until these standards have been finalized and\n                                  implemented, OCIO/NITC management cannot be assured that security\n                                  violations are properly and consistently identified, and that followup is\n                                  adequately carried out. 
Because OCIO/NITC is in the process of completing\n                                  corrective action, we will not make additional recommendations on this issue.\n\n                                  System audit logs would provide management with valuable information\n                                  about activity on its computer systems, including a review and analysis of\n                                  management, operational, and technical controls. OMB14 states that\n                                  identifying and authenticating system users, and subsequently tracing actions\n                                  on the system to the users who initiated them normally accomplishes\n                                  accountability. In addition, DM 3140-1.315 requires maintaining access logs\n                                  sufficient to permit reconstruction of events in case of unauthorized data or\n                                  program access or use. Security/access control software should be used to\n\n14\n     OMB Circular A-130, Appendix III, Section B (a)(2)(c), November 30, 2000.\n15\n     DM 3140-1.3, \xe2\x80\x9cManagement ADP Security Manual,\xe2\x80\x9d Part 3 of 8, Section 16, July 19, 1984.\nUSDA/OIG-A/88501-1-FM                                                                                  Page 12\n\x0c                   maintain an audit trail of security accesses to determine how, when, and by\n                   whom specific actions were taken. Such information is critical in monitoring\n                   compliance with security policies and when investigating security incidents.\n\n                   Because the audit trail information is likely to be too voluminous to review\n                   on a routine basis, procedures should be implemented to selectively identify\n                   unauthorized, unusual, and sensitive access activity. 
It is important that an\n                   entity have formal written procedures for reporting security violations or\n                   suspected violations to a central security management office so that multiple\n                   related incidents can be identified, others can be alerted to potential threats,\n                   and appropriate investigations can be performed. Without prompt and\n                   appropriate responses to security incidents, violations could continue to occur\n                   and cause damage to an entity\xe2\x80\x99s resources indefinitely. Further, violators will\n                   not be discouraged from continuing inappropriate access activity, which\n                   could result in financial losses and disclosure of confidential information.\n                   Because OCIO/NITC is in the process of addressing our prior\n                   recommendation, we make no further recommendation in this report.\n\n                   Mainframe Access From the Internet\n\n                   OCIO/NITC is still in the process of working with its customers to encrypt all\n                   access to its mainframe, a process that began in September 2003 and was\n                   originally scheduled to be completed by January 2004. According to\n                   OCIO/NITC officials, this was the final step toward securing access to\n                   OCIO/NITC network resources from the Internet. OCIO/NITC customers\n                   need to implement changes on their networks before this process can be\n                   finalized. Until this process is complete, we consider this to be a material\n                   internal control weakness that OCIO/NITC needs to address.           Because\n                   OCIO/NITC is in the process of addressing our prior recommendation, we\n                   are making no further recommendations on this issue in this report.\n\n\nRecommendation No. 
7\n\n                   OCIO/NITC should develop controls to ensure that waivers are obtained and\n                   maintained for all accounts that have non-expiring passwords.\n\n\nRecommendation No. 8\n\n                   OCIO/NITC should establish a plan with milestone dates on when it plans to\n                   finalize its documentation of global system settings and have those settings\n                   documented in its security plan.\n\n\n\n\nUSDA/OIG-A/88501-1-FM                                                                     Page 13\n\x0cSection 3.           System Change Controls\n\n\n\n\nFinding 4                          Change Control Improvements Need to be Finalized and\n                                   Implemented\n\n                                   OCIO/NITC continues to improve its system change management process.\n                                   However, we continued to find that approval, testing, and implementation\n                                   documentation was not always maintained. While this condition was more\n                                   prevalent in OCIO/NITC\xe2\x80\x99s midrange system environment, improvements\n                                   over changes to its mainframe environment are still needed. 
Despite its own\n                                   policies to document approval, testing, and implementation, OCIO/NITC had\n                                   not documented what changes had been approved, or established controls to\n                                   ensure that change control procedures were being properly carried out.\n                                   Without proper change management controls, OCIO/NITC\xe2\x80\x99s systems are at\n                                   risk of processing irregularities that could occur or security features that\n                                   could be inadvertently or deliberately omitted or rendered inoperable.\n\n                                   OCIO/NITC has formalized change control policies16 in place that govern the\n                                   request, approval, testing, and implementation phases of the change control\n                                   process. According to NIST,17 it is important to document the proposed or\n                                   actual changes to the information system and to subsequently determine the\n                                   impact of those proposed or actual changes on the security of the system.\n                                   Information systems will typically be in a constant state of migration with\n                                   upgrades to hardware, software, or firmware and possible modifications to\n                                   the surrounding environment where the system resides. Changes to an\n                                   information system can have a significant impact on the security of the\n                                   system. Documenting information system changes and assessing the\n                                   potential impact on the security of the system on an ongoing basis is an\n                                   essential aspect of maintaining the security accreditation. 
Ensuring adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment requires an effective agency configuration management and control policy and associated procedures.

In our two prior years’ audits, we found that new system software versions or modifications to existing software were not properly authorized, tested, or logged. While most of the discrepancies in this year’s audit were found in the OCIO/NITC’s midrange system environment, we noted instances where changes were made in the mainframe environment that had not been properly approved. Below are a few of the discrepancies we identified in the mainframe and midrange platforms:

Mainframe

• Changes recorded in OCIO/NITC’s management information system had been implemented without evidence that the change was approved.

• While OCIO/NITC officials informed us that testing of approved changes had been done before implementing them into production, OCIO/NITC had not maintained documentation showing the testing had been completed.

Midrange

• OCIO/NITC personnel were not following formalized change control procedures for OCIO/NITC managed midrange servers.

• OCIO/NITC had not always documented contact with agency owners when making changes to systems managed by OCIO/NITC.

• Emergency changes were not always authorized or approved as required by OCIO/NITC policy.

• Documentation that testing of changes occurred was not always maintained.

During last year’s audit, OCIO/NITC began to address the system software change control issues at the close of our prior audit by revising its directives related to change management and reengineering the change control process. OCIO/NITC recently conducted its own internal review of the accuracy of its change control database to ensure that it accurately reflected approved and implemented changes. Further, OCIO/NITC modified its database by adding an automated control that would not allow a change record to be closed without first being coded as approved. Despite these actions, however, OCIO/NITC needs to make a concerted effort to continue making improvements to implement sound change control practices.

Recommendation No. 9

OCIO/NITC needs to establish controls to ensure its change management process includes adequate documentation of approval, testing, and implementation.

16 OCIO/NITC “Change Management Handbook,” dated August 19, 2003.
17 NIST SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” dated May 2004.

USDA/OIG-A/88501-1-FM                                                                     Page 14

Exhibit A – Office of Inspector General, Review of Selected Controls
Exhibit A – Page 1 of 10

The objectives of our examination were to perform testing necessary to express an opinion about (1) whether the control objectives and techniques identified in this exhibit present fairly, in all material respects, the aspects of the OCIO/NITC’s policies and procedures in place for the period October 1, 2003 through August 31, 2004, (2) whether the control structure of policies and procedures was suitably designed to provide reasonable assurance that the specified control objectives were complied with satisfactorily, and (3) the operating effectiveness of the specified control structure policies and procedures in achieving specified control objectives.

This report is intended to provide users of OCIO/NITC with information about the control structure policies and procedures at OCIO/NITC that may affect the processing of user organizations’ transactions and also to provide users with information about the operating effectiveness of the policies and procedures that were tested. This report, when combined with an understanding and assessment of the internal control structure policies and procedures at user organizations, is intended to assist user auditors in (1) planning the audit of user organizations’ financial statements, and (2) assessing control risk for assertions in user organizations’ financial statements that may be affected by policies and procedures at OCIO/NITC.

Our testing of OCIO/NITC’s control structure policies and procedures was restricted to the control objectives and the related policies and procedures listed in the matrices in this exhibit. Our testing was not intended to apply to any other procedures described in OCIO/NITC’s Service Center Description and Internal Controls Framework that were not included in the aforementioned matrices, or to procedures that may be in effect at user organizations.

Our review was performed through inquiry of key OCIO/NITC personnel, observation of activities, examination of relevant documentation and procedures, and tests of controls. We also followed up on known control weaknesses identified in prior OIG audits. We performed such tests as we considered necessary to evaluate whether the operating and control procedures described by OCIO/NITC and the extent of compliance with them are sufficient to provide reasonable, but not absolute, assurance that control objectives are achieved.

The description of the tests of operating effectiveness and the results of those tests are included in the following section of this report.

Each matrix entry below lists the control objective, the control techniques OCIO/NITC relies on, the tests we performed, and our conclusion.

Control objective 1: Define and communicate OCIO/NITC organizational structure, policies, and procedures.

   Control techniques:
   a. The OCIO/NITC relies on Department policy, in most matters, and provides hard copy and electronic access.
   b. When Department policy does not provide adequate guidance on administrative issues, OCIO/NITC issues internal Administrative Directives, which define administrative policies and procedures.
   c. Policy manuals, procedure manuals, and Administrative Directives are made available in electronic and hard copy form, and are used by personnel.
   d. The OCIO/NITC organizational structure and the responsibilities of the OCIO/NITC divisions are well documented and understood.
   e. Division responsibilities, services, and procedures are documented.
   f. Adequate supervisory and approval levels exist in each OCIO/NITC functional area.

   Tests performed:
   We reviewed OCIO/NITC policies and procedures, internal Administrative Directives, Security Directives, and policies and procedures to ensure: 1) Departmental policies had been taken into account; 2) they are revised, updated, and changed when necessary; 3) they were documented and appropriate.
   We reviewed the organization structure and responsibilities of the OCIO/NITC divisions to ensure they were documented and appropriate.

   Conclusion:
   The control structure policies and procedures on the whole were suitably designed to achieve the control objective specified, but were not operating effectively.
   We noted problem/change management directives were not being followed. (See Finding 4.)
   Vulnerability scan procedures were not being followed. (See Finding 2.)
   We identified 6 security directives that had not been finalized, as well as numerous Standard Operating Procedures (SOPs) for the midrange environment that had not been finalized. (See Finding 2.)
   We found the organizational structure policies and procedures were not suitably designed to achieve the control objective specified because responsibilities for the midrange environment were not clearly defined, nor adequately documented, and OCIO/NITC security staff did not provide oversight of the midrange environment. (See Finding 2.)

Control objective 2: Segregate duties between the specialized staff as much as practical.

   Control techniques:
   a. The OCIO/NITC is not responsible for Agency user operations or user, application, or data controls.
   b. The responsibilities of the OCIO/NITC staff and of the users of OCIO/NITC services are clearly differentiated.
   c. Separate duties are defined for the various technical specialties.
   d. OCIO/NITC personnel are prohibited from originating, changing, or correcting user input or data, unless so requested.
   e. Separation of duty is enforced through access rules within the security software whenever practical and consistent with user requirements.

   Tests performed:
   We reviewed NITC level of service for various servers/customers.
   We tested duties performed by NITC system administrators on both NITC owned and customer systems.
   We reviewed SOPs and directives for policy and procedures related to assignment of duties to NITC personnel.
   We reviewed changes to agency systems performed by NITC personnel.
   We reviewed access to critical operating system software data sets and compared settings to best practice standards.
   We reviewed user IDs with special access privileges.
   We reviewed system settings and user rights on selected midrange environment servers.

   Conclusion:
   The control structure policies and procedures were not suitably designed to achieve the control objective specified and controls were not operating effectively. We found:
   OCIO/NITC did not have an inventory of servers in their midrange environment nor clear identification for ownership and management of those servers. (See Finding 1.)
   NITC security staff did not provide oversight of the midrange environment. Instead, personnel administering the systems were also responsible for oversight. (See Finding 2.)
   Changes were made to customers’ system software without evidence of customer approval. (See Finding 4.)
   OCIO/NITC should develop and implement controls associated with the configuration of access rules and the lack of efficient user grouping to prevent the assignment of unintended user access privileges. (See Finding 2.)
   Appropriate access permissions were not assigned on NITC-managed servers to protect critical system files and directories, including the root directory. (See Finding 2.)

Control objective 3: Apply appropriate controls to the system development lifecycle.

   Control techniques:
   a. OCIO/NITC management and contracting agency development involvement is required prior to the design, development, testing, and conversion of new or modified application systems.
   b. The modification or installation of systems software requires the approval of OCIO/NITC management.
   c. The installation/modification of midrange server operating systems hardware and software. Monitor security via COTS SW. Research security patches, fixes, and virus alerts.

   Tests performed:
   We reviewed policies and procedures to ensure that departmental policies were considered. We reviewed internal Administrative Directives and policies and procedures to ensure that they are revised, updated, and changed when necessary and were properly implemented.
   We reviewed software change control procedures to determine if software changes received documented authorization, review, and approval before implementation.
   We reviewed system configurations in the midrange environment.
   We reviewed software changes to determine if testing is performed before changes are made to the systems.

   Conclusion:
   The control structure policies and procedures were not suitably designed to achieve the control objective specified.
   No controls exist to require security staff oversight of the midrange environment. (See Finding 2.)
   Security patches/fixes were not being applied to the midrange servers as needed. (See Finding 2.)
   Change management controls were not operating effectively. (See Finding 4.)

Control objective 4: Provide reasonable assurance that new or modified application systems and data files are properly converted and implemented.

   Control techniques:
   a. Test results are documented and approved by the contracting customer before acceptance of a new system.
   b. Customers are involved in preparing the test data.
   c. As applicable, testing is performed on all interrelated systems to evaluate the integrity of those systems.

   Tests performed:
   We reviewed policies and procedures to ensure that departmental policies were considered. We reviewed internal Administrative Directives and policies and procedures to ensure that they are revised, updated, and changed when necessary and were properly implemented.
   We reviewed software changes to determine if testing is performed before changes are made to the systems.

   Conclusion:
   The control structure policies and procedures were suitably designed to achieve the control objective specified. However, change management controls were not operating effectively. (See Finding 4.)

Control objective 5: Provide reasonable assurance that all software changes are appropriately reviewed and authorized.

   Control techniques:
   a. Authorization and approval is required before modifications are made to the network, midrange server, OA/LAN, and mainframe operating systems or software applications.
   b. Operational personnel are not involved in changes to the operating system (mainframe or midrange server) or user applications.
   c. There is thorough supervision and review of all changes.
   d. Problems and change requests to the operating system and software controlled by the OCIO/NITC are tracked using manual and automated systems that provide an audit trail of system changes.
   e. Operating systems and systems software changes are tested to ensure that they operate properly and provide necessary functionality.
   f. Modified or new software is not installed until installation plans have been reviewed by the respective Branch Chiefs and approved by the Change Management Review Team.

   Tests performed:
   We reviewed software change policies to determine if adequate controls existed over modifications to the network, midrange servers, and mainframe operating systems.
   We reviewed INFOMAN (OCIO/NITC’s Management Information System) records to determine if software changes were documented and approved before modification.
   We reviewed change/problem records in MIRT (OCIO/NITC’s Midrange Installation Review Team System) and INFOMAN to ensure all changes are tracked and provide an audit trail of changes.
   We reviewed change records to determine if changes were tested before being added to the production environment.

   Conclusion:
   The control structure policies and procedures were not suitably designed to achieve the control objective specified because controls did not exist to ensure written documentation existed to support changes approved by the Change Configuration Board.
   Approval was not always obtained before software modifications were performed. (See Finding 4.)
   Emergency changes were not always authorized or approved as required by OCIO/NITC policies. (See Finding 4.)
   Testing of changes was not always performed before being put into the production environment. (See Finding 4.)
   Not all changes were recorded into INFOMAN. (See Finding 4.)

Control objective 6: Conduct the planning activities needed to provide reasonable assurance that the OCIO/NITC will meet functional and control requirements.

   Control techniques:
   a. Document current OCIO/NITC controls, and identify required new controls.
   b. To the degree possible, plan how the OCIO/NITC will meet future Information System requirements.

   Tests performed:
   We reviewed OCIO/NITC’s internal controls framework and evaluated various plans such as OCIO/NITC’s Security Plans, contingency plans, and system accreditations.
   We interviewed OCIO/NITC personnel to determine future plans for securing OCIO/NITC’s various platforms.

   Conclusion:
   The control structure policies and procedures were not suitably designed to achieve the control objective specified because planning activities were informal and undocumented, and OCIO/NITC has not complied with OMB Circular A-130 requirements. (See Finding 1.)

Control objective 7: Access to the operating system, associated software, and documentation is restricted to authorized personnel.

   Control techniques:
   a. Software system specialists are prohibited from initializing the operating system.
   b. Operational personnel are prohibited from making modifications to the operating system and software. OA/LAN is administered per MOU and security staff oversight.
   c. Automated and manual procedures are used to track all significant mainframe operating system and software modifications, as well as other significant changes to other OCIO/NITC infrastructure components.
   d. System privileges that bypass normal system controls are allowed only when necessary and requested by the appropriate supervisor in writing, and are logged and/or closely monitored.

   Tests performed:
   We reviewed system logging policies and procedures.
   We reviewed system logs, change management policies and procedures, and recently completed INFOMAN records.
   We reviewed policies and procedures for special system privileges. We reviewed user IDs with these accesses. We interviewed OCIO/NITC security staff to determine how these user IDs are monitored. We determined if forms were completed for user IDs with high-level system privileges.
   We attempted to review written access authorizations for persons with system administrator duties in the midrange environment.

   Conclusion:
   The control structure policies and procedures were not suitably designed to achieve the control objective as shown below:
   No written policies and procedures exist to outline what system logs to review for the mainframe and what actions to take for various security violations. (See Finding 3.)
   Not all servers in the midrange were logging system access. For those servers with logging enabled, review of the logs was the responsibility of system administrators. (See Finding 2.)
   Implementation of its reengineered change control process has not been completed. (See Finding 4.)
   Written access authorizations did not exist for system administrators in the midrange environment. (See Finding 2.)
   Special access privilege policies had been updated but not yet implemented because not all user IDs with special access privileges had approval forms on file. (See Finding 3.)

Control objective 8: Provide reasonable assurance that operations staff operates automated equipment in accordance with the management criteria.

   Control techniques:
   a. Access to resources and data files is limited by security software to those required to do their work.
   b. On most USDA systems, critical and repetitive operations to maintain systems are automated using CA-7 and OPS/MVS.

   Tests performed:
   We reviewed critical data sets to determine if user IDs accessing these data sets were being logged.
   We reviewed documentation and INFOMAN records to determine if the MAINT (maintenance) privileges had been utilized in a manner to effectively limit its user to predefined, routine system management activities.
   We reviewed system configuration in the midrange environment to determine if logging is maintained on the servers.

   Conclusion:
   The control structure policies and procedures were suitably designed to achieve the control objective specified; however, the controls had not been placed into operation.
   System activities on the midrange servers were not always being logged, and when logging did occur, system administrators reviewed the logs. (See Finding 2.)
   Although OCIO/NITC had reduced its usage of the MAINT privilege, its usage has not been reduced to restrict its use to only routine system management activities. (See Finding 3.)

Control objective 9: Provide reasonable assurance that equipment is used by authorized persons following prescribed procedures.

   Control techniques:
   a. Access to the operations area and office is physically restricted through the use of a key badge system.
   b. Policies and procedures ensure that access to the Operations area is highly restricted. This includes midrange server activities.

   Tests performed:
   We reviewed and observed access to critical resources and the use of guards, key badges, and biometric devices utilized to control access to restricted areas.
   We reviewed documentation that NITC recertified individuals who require access to sensitive areas based on job function.
   We reviewed provisions in Directive A-8.
   We reviewed physical access to consoles to ensure access is limited to only those individuals that require it to perform their job.
   We reviewed the configuration of consoles to ensure they allow only the functions necessary to support NITC operations.

   Conclusion:
   The control structure policies and procedures were suitably designed to achieve the control objective specified, had been placed into operation, and were operating effectively.

CONTROL
 CONTROL\n  OBJECTIVE                 TECHNIQUES                     TESTS PERFORMED                          CONCLUSION\n10. USDA: Provide    a.   TSO and batch access to        We reviewed related policies       The control structure policies and\n    reasonable            resources and data files is    and procedures and security        procedures were not designed to\n    assurance that        controlled through             software access controls over      achieve the control objective\n    only approved         management controls and the    inactive user IDs.                 specified.\n    users have            use of the security package\n    access to             CA-ACF2. This also covers      We reviewed user IDs that have     Unsecured access to the NITC\n    OCIO/NITC,            midrange server and            not been used for an extended      mainframe is still being allowed\n    and that they         OA/LAN responsibilities.       period of time and password        via the Internet. (See Finding 3.)\n    are accessing    b.   OCIO/NITC suspends or          settings to ensure adequate\n    and processing        deletes logon IDs that have    controls have been                 For midrange servers and\n    only within           been inactive for designated   implemented over user IDs and      firewalls, a policy had not been\n    approved              periods of time monthly.       passwords.                         established to ensure only\n    boundaries.      c.   CA-ACF2 is used to control                                        authorized users had access, nor\n                          user Logon-IDs and             We reviewed related policies       established a policy for review of\n                          passwords.                     and procedures and security        user access to the system. (See\n                     d.   
The OCIO/NITC creates          software access controls over      Finding 2.)\n                          only those LIDs requested by   special privilege user IDs.\n                          an Agency Security Officer.                                        Agencies were not complying\n                     e.   Special privileges must be     We reviewed policies and           with OCIO/NITC\xe2\x80\x99s policies and\n                          requested and approved by      procedures, reviewed firewall      procedures to obtain waivers for\n                          the appropriate ISSPMs or      rules and tested access controls   using passwords set to never\n                          management officials.          over firewalls.                    expire, nor did they follow the\n                     f.   Firewalls and intrusion                                           policy for changing passwords.\n                          detection control and detect   We reviewed access controls        (See Finding 3.)\n                          activity.                      over TSO accounts.\n                                                                                            Weaknesses identified in the\n                                                         We reviewed policies and           midrange environment (See\n                                                         procedures and tested access       Finding 2) include:\n                                                         controls over routers.             
\xe2\x80\xa2    Password security settings\n                                                                                                 and access permissions did\n                                                         We tested user rights to ensure         not always meet\n                                                         users were able to access only          departmental and NIST\n                                                         areas associated with their             guidelines;\n                                                         assigned responsibilities.         \xe2\x80\xa2    User accounts comprised of\n                                                                                                 generic accounts, guest\n                                                         We reviewed system                      accounts, and other accounts\n                                                         configurations to ensure                unidentifiable to employee\n                                                         settings did not allow excessive        lists;\n                                                         user privileges.                   
\xe2\x80\xa2    Administrator accounts and\n                                                                                                 user rights did not always\n                                                                                                 meet departmental and NIST\n                                                                                                 guidelines; and,\n                                                                                            \xe2\x80\xa2    Excessive access rights were\n                                                                                                 granted to directories and\n                                                                                                 files.\n\n\n\n\nUSDA/OIG-A/88501-1-FM                                                                                                       Page 23\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                     Exhibit A \xe2\x80\x93 Page 9 of 10\n  CONTROL                      CONTROL\n  OBJECTIVE                   TECHNIQUES                      TESTS PERFORMED                        CONCLUSION\n11. Data files are     a.   Agency Security Officers are    We performed testing in          The control structure policies and\n    adequately              responsible for identifying     NITC\xe2\x80\x99s midrange environment      procedures were suitably\n    protected from          critical user files. Users      over system ownership.           designed to achieve the control\n    unauthorized            back up their applications                                       objective specified, however,\n    modification or         and data on the schedule        We interviewed NITC system       OCIO/NITC recognized the need\n    destruction.            
they deem appropriateOn         administrators regarding back-   to create contingency plans for\n                            midrange server                 up procedures taken.             OCIO/NITC-owned general\n                            environments, NITC system                                        support systems, and\n                            administrators rotate           We requested the most current    telecommunications. (See\n                            customer backup tapes off       Contingency/ Disaster Recover    Finding 1.)\n                            site at customer request and    Plans for OCIO/NITC\n                            use the mainframe as a          Infrastructure Support,\n                            supplemental backup media       Mainframe and General\n                            through IBM\xe2\x80\x99s Tivoli            Support Systems.\n                            Storage Manager.\n                       b.   Procedures are documented\n                            in the NITC Disaster\n                            Recovery Plans.\n12. Assess the         a.   Risk assessments are            We obtained and reviewed risk    The control structure policies and\n    vulnerability of        performed on OCIO/NITC          assessments performed on         procedures were suitably\n    the                     systems.                        OCIO/NITC systems.               designed to achieve the control\n    OCIO/NITC to       b.   A Contingency Plan for                                           objective specified, however,\n    physical and            Alternate Site Operations is    We reviewed desk exercises       OCIO/NITC had not conducted a\n    other disasters,        in place. A plan for            conducted relating to disaster   Business Impact Analysis (BIA)\n    and put in place        midrange server                 recovery.                        
before completing their risk\n    procedures for          environments has not been                                        assessments. The BIA purpose is\n    maintaining             documented. It will be in the   We requested OCIO/NITC           to correlate specific system\n    essential               next issuance of the            Contingency Plans.               components with the critical\n    operations after        contingency plan.                                                services that they provide, and\n    such an            c.   The USDA Internet Access        We determined if                 based on that information,\n    occurrence.             network provides the            communication software           characterize the consequences of\n                            physical medium for the         logical controls have been       a disruption to the system.\n                            OCIO/NITC wide area             implemented.                     Without the BIA first,\n                            network.                                                         
OCIO/NITC cannot be assured\n                                                                                             that all system components and\n                                                                                             critical services were adequately\n                                                                                             identified, prioritized, and\n                                                                                             included in the risk assessment.\n                                                                                             (See Finding 1.)\n\n                                                                                             Unencrypted access from the\n                                                                                             Internet is still available, even\n                                                                                             though OCIO/NITC planned to\n                                                                                             have this corrected by\n                                                                                             01/01/2004. (See Finding 3.)\n\n\n\n\nUSDA/OIG-A/88501-1-FM                                                                                                        Page 24\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                    Exhibit A \xe2\x80\x93 Page 10 of 10\n  CONTROL                     CONTROL\n  OBJECTIVE                  TECHNIQUES                      TESTS PERFORMED                         CONCLUSION\n13. Evaluate and      a.   
Vulnerabilities are assessed    We determined if OCIO/NITC         The control structure policies and\n    substantiate IT        on a regular basis through      periodically identifies            procedures were not suitably\n    controls on a          risk assessments,               significant threats to the well-   designed to achieve the control\n    regular basis.         vulnerability assessments,      being of sensitive and critical    objective specified.\n                           and security testing.           resources and identifies related\n                      b.   Develop and periodically test   risks.                             No procedures exist to allow for\n                           a plan that will allow                                             security staff oversight of the\n                           OCIO/NITC to recover            We interviewed OCIO/NITC           midrange environment. (See\n                           operating systems and           officials to determine if all      Finding 2)\n                           software at the Alternate       network devices were\n                           Operations Site within 72       periodically scanned.              OCIO/NITC had not documented\n                           hours after disaster                                               justification of their firewall\n                           declaration. A disaster         We obtained and reviewed scan      configuration. (See Finding 2.)\n                           recovery plan has been          reports of selected systems.\n                           developed and tested to                                            Network devices were not\n                           restore the Tivoli Storage      We interviewed OCIO/NITC           scanned for the first 9 months of\n                           Manager Server, which is a      security staff to determine the    FY 2004. 
(See Finding 2.)\n                           component of the midrange       oversight of the security staff\n                           disaster recovery strategy.     on the midrange environment.       OCIO/NITC recognized the need\n                           An AIX recovery strategy                                           to create contingency plans for\n                           has been developed and          We requested OCIO/NITC             OCIO/NITC-owned general\n                           tested.                         Contingency Plans.                 support systems, and\n                                                                                              telecommunications. (See\n                                                           We reviewed firewall rules to      Finding 1.)\n                                                           ensure NIST and OCIO\n                                                           guidelines were being\n                                                           followed.\n14. Provide an        a.   Ensure terminated               We tested access controls over     The control structure policies and\n    appropriate            employees are disallowed        selected midrange servers to       procedures were not suitably\n    level of               access to the NITC and          determine if terminated            designed to achieve the control\n    personnel              NITC resources.                 employees were disallowed          objective specified. OCIO/NITC\n    security and                                           access to NITC resources.          did not have procedures in place\n    security                                                                                  to reconcile user IDs to employee\n    awareness.                                                                                
lists.\n\n                                                                                              We identified that OCIO/NITC\n                                                                                              has weak controls over timely\n                                                                                              removal of unneeded user\n                                                                                              accounts.\n\n\n\n\nUSDA/OIG-A/88501-1-FM                                                                                                        Page 25\n\x0c'
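The account-level checks behind control techniques 10(b), 10(e) and 14(a), and the midrange weaknesses listed under control 10 (inactive IDs, passwords set to never expire without a waiver, unapproved special privileges, generic or guest accounts, and user IDs that cannot be reconciled to an employee list), can be run as one periodic review. The script below is an added example written for this page; it is not tooling from OCIO/NITC or the OIG. The account export format, the employee roster, the review date, the 90-day inactivity threshold and the list of generic name stems are all constructed assumptions.

```python
"""Account-hygiene review modelled on Exhibit A control techniques 10(b), 10(e) and 14(a).

Added example. The account export, employee roster, thresholds and field names are
constructed assumptions, not data or tooling from the OIG report.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    user_id: str
    owner_employee_id: Optional[str]   # None when the ID is not tied to one person
    last_logon: Optional[date]         # None when the ID has never been used
    password_never_expires: bool
    waiver_on_file: bool               # approved waiver for a non-expiring password
    special_privilege: bool            # administrator or other elevated rights
    privilege_approved: bool           # ISSPM / management approval recorded


# Name stems that indicate a generic or guest account (assumed list).
GENERIC_STEMS = {"guest", "test", "temp", "admin", "operator"}


def is_generic(user_id: str) -> bool:
    """True for IDs like 'guest', 'guest2' or 'temp01' that map to no single employee."""
    stem = user_id.lower().rstrip("0123456789")
    return stem in GENERIC_STEMS


def review_accounts(accounts, active_employee_ids, as_of, inactive_after_days):
    """Return the user IDs that fail each check, keyed by check name."""
    cutoff = as_of - timedelta(days=inactive_after_days)
    findings = {
        "inactive": [],                     # 10(b): candidates for suspension/deletion
        "never_expire_without_waiver": [],  # 10: non-expiring password, no waiver
        "privilege_without_approval": [],   # 10(e): elevated rights, no approval record
        "generic_or_guest": [],             # 10: IDs unidentifiable to employee lists
        "not_on_employee_list": [],         # 14(a): owner is not a current employee
    }
    for acct in accounts:
        if acct.last_logon is None or acct.last_logon < cutoff:
            findings["inactive"].append(acct.user_id)
        if acct.password_never_expires and not acct.waiver_on_file:
            findings["never_expire_without_waiver"].append(acct.user_id)
        if acct.special_privilege and not acct.privilege_approved:
            findings["privilege_without_approval"].append(acct.user_id)
        if is_generic(acct.user_id):
            findings["generic_or_guest"].append(acct.user_id)
        elif acct.owner_employee_id not in active_employee_ids:
            findings["not_on_employee_list"].append(acct.user_id)
    return findings


# Constructed sample data (assumption). Review date and 90-day threshold are assumed.
REVIEW_DATE = date(2004, 8, 31)
ACTIVE_EMPLOYEES = {"E1001", "E1002", "E1003", "E1005"}
SAMPLE_ACCOUNTS = [
    #       user_id    owner    last_logon         never_exp waiver priv   approved
    Account("jsmith",  "E1001", date(2004, 8, 30), False,    False, False, False),
    Account("mjones",  "E1002", date(2004, 4, 1),  False,    False, True,  True),   # idle since April
    Account("rlee",    "E1003", date(2004, 8, 15), True,     True,  False, False),  # waiver on file
    Account("tbrown",  "E1004", date(2004, 8, 20), True,     False, False, False),  # E1004 left; no waiver
    Account("dwhite",  "E1005", date(2004, 8, 29), False,    False, True,  False),  # admin, no approval
    Account("guest2",  None,    None,              False,    False, False, False),  # generic, never used
]


def sample_findings():
    """Run the review over the constructed sample with the assumed thresholds."""
    return review_accounts(SAMPLE_ACCOUNTS, ACTIVE_EMPLOYEES, REVIEW_DATE, 90)


if __name__ == "__main__":
    for check, ids in sample_findings().items():
        print(f"{check}: {', '.join(ids) or 'none'}")
```

Each finding list maps to one of the review steps the auditors describe: the inactive list is the monthly suspension candidate set, the never-expire list is what the waiver policy should cover, and the employee-list reconciliation is the procedure control 14 reports as missing. A generic ID is excluded from the reconciliation check because it has no owner to reconcile, which is why such accounts need their own finding rather than being counted as terminated employees.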